Greetings from the '90s: Exploiting the Design of Industrial Controllers in Modern Settings

Conference: BlackHat USA 2021

2021-11-11

Summary

The presentation discusses the vulnerability of modern PLCs and the need to redesign their software and hardware to match the current threat landscape.

  • The approach to enumerating and manipulating function blocks on modern PLCs is applicable to any industrial environment and uses stealthy techniques that current monitoring does not detect.
  • The impact of the vulnerability is significant, even though the techniques used are simple and outdated.
  • There are currently no device-level mitigations for this type of vulnerability; the only existing line of work is the Top 20 Secure PLC Coding Practices.
  • Mitigation opportunities exist on current PLCs, but they offer only partial solutions in certain circumstances.
  • The presentation emphasizes the need for a vendor-centric redesign of PLC software and hardware to address the current threat landscape.
  • Asset owners are often blamed for incidents, but it is difficult to secure something when its attack surface is not clearly understood.
  • The presentation concludes that vendors need to take responsibility for vulnerabilities in their products.

The presentation highlights the simplicity of the techniques used to exploit modern PLCs: by IT standards, they are 25-30 years old. The design of modern PLCs does not match the current threat landscape, and PLC software is largely under-researched. The only existing line of work is the Top 20 Secure PLC Coding Practices, which is not enough to address the vulnerability. The presentation emphasizes the need for a vendor-centric approach to redesigning PLC software and hardware to match the current threat landscape.

Abstract

Recent years have witnessed a growing volume of research on the security of embedded systems used in industrial process control applications, including Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU). This increased interest reflects both the large number of “low-hanging fruit” vulnerabilities, which make industrial controllers attractive research targets, and an increased interest from adversaries in subverting industrial processes. To date, research efforts have predominantly focused on firmware vulnerabilities or on bypassing traditional security controls implemented as part of the PLC software. In this talk we will introduce a novel exploitation vector, one previously unconsidered in existing works. More specifically, we will show how PLC programming practices, user APIs, and memory allocation for function blocks from the Library Functions open the door to automated enumeration of PLC control logic, identification of key infrastructure configuration parameters and process control variables, and their consequent targeted manipulation to achieve a desired attack impact. Additionally, allocated but unused memory can be applied to the establishment of covert C2 channels, from which attackers are afforded the ability to run standard security tools, exfiltrate data and execute high-precision cyber-physical attacks on previously inaccessible network segments. To keep the story realistic and interesting, we formulate our threat scenario around a realistic industrial network architecture with the advisable security measures, including the integration of network monitoring and segregation from the Internet via firewalls. The set of proposed exploitation techniques is stealthy and allows for the development of fully automated physical damage payloads of high precision, significantly raising the level of attacker capabilities.

The main purpose of this talk is to initiate a discussion around the need for guidance and best practices to support DevSecOps for industrial equipment, which take into account the engineering designs of the equipment and the specifics of its usage in cyber-physical applications. Current PLC software designs and programming practices are still largely under-researched. With this talk we provide an example of their unexplored attack surface and a novel vulnerability class, and invite the security community to research the topic further.
